This post will cover installing and basic configuration of Tomcat 7 on CentOS 5.x.

The procedure can be used for Fedora and RHEL as well.

Tomcat 7 implements the JavaServer Pages 2.2 and Servlet 3.0 specifications and adds a number of new features. The Manager application also has a new look, with finer-grained roles and access than 6.x.

In this post, we'll install the required JDK, Tomcat, configure Tomcat as a service, create a start/stop/restart script, and (optionally) configure Tomcat to run under a non-root user.

For this installation, we'll use Tomcat 7.0.19, the current stable release of Tomcat 7. This post began with the first Tomcat 7 release and I have tried to keep it updated to keep things as "copy and paste" as possible.

I've also updated the post for JDK 6, Update 26.

To begin, we'll need to install the Java Development Kit (JDK) 1.6.

JDK 1.6 is the minimum JDK version for Tomcat 7.

If you already have the JDK installed, you can skip to Step 2: Download and Unpack Tomcat 7.0.19.

The above script is simple and contains all of the basic elements you will need to get going.

As you can see, we are simply calling the startup.sh and shutdown.sh scripts located in the Tomcat bin directory (/usr/share/apache-tomcat-7.0.19/bin).

You can adjust your script according to your needs and, in subsequent posts, we'll look at additional examples.

CATALINA_HOME is the Tomcat home directory (/usr/share/apache-tomcat-7.0.19).

Now, set the permissions for your script to make it executable:

[root@srv6 init.d]# chmod 755 tomcat

We now use the chkconfig utility to have Tomcat start at boot time. In my script above, I am using chkconfig: 234 20 80. 2445 are the run levels and 20 and 80 are the stop and start priorities respectively. You can adjust as needed.

http://yourdomain.com:8080 or http://yourIPaddress:8080 and we should see the Tomcat home page.

Step 4: Configuring Tomcat Manager Access.

Tomcat 7 contains a number of changes that offer finer-grain roles.

For security reasons, no users or passwords are created for the Tomcat manager roles by default. In a production deployment, it is always best to remove the Manager application.

To set roles, user name(s) and password(s), we need to configure the tomcat-users.xml file located at $CATALINA_HOME/conf/tomcat-users.xml.

In the case of our installation, $CATALINA_HOME is located at /usr/share/apache-tomcat-7.0.19.

By default the Tomcat 7 tomcat-users.xml file will look as below.

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users>
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary.
-->
<!--
NOTE: The sample user and role entries below are wrapped in a comment
and thus are ignored when reading this file. Do not forget to remove
<!.. ..> that surrounds them.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="both" password="tomcat" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/>
-->
</tomcat-users>

Note that while examples are provided, the elements between the <tomcat-users> and </tomcat-users> tags have been commented-out.
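Once the comment markers are removed and real users are defined, the file is worth auditing before the Manager is exposed. The following is an added example, not part of the original post: the function name, the weak-password list and the sample file are constructed for illustration, and the role names are the Tomcat 7 Manager and Host Manager roles.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Tomcat 7 Manager and Host Manager apps.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                 "manager-status", "admin-gui", "admin-script"}
# Constructed list of guessable passwords; extend it to match your policy.
WEAK_PASSWORDS = {"tomcat", "admin", "manager", "password", "changeit", "s3cret"}


def audit_tomcat_users(xml_text):
    """Return (username, finding) tuples for active <user> entries.

    Entries wrapped in <!-- --> are dropped by the XML parser, which matches
    how Tomcat itself reads the file: commented-out users do not exist.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for user in root.iter("user"):
        name = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = roles & MANAGER_ROLES
        if not privileged:
            continue  # application-only roles are out of scope for this check
        findings.append((name, "has manager roles: " + ",".join(sorted(privileged))))
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "weak or default password"))
        # Tomcat's Manager documentation advises against giving a browser
        # (manager-gui) user the script or JMX roles, because those
        # interfaces are not covered by the HTML interface's CSRF protection.
        if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
            findings.append((name, "manager-gui combined with script/jmx role"))
    return findings


# Constructed sample: one commented-out user and two active ones.
SAMPLE = """<tomcat-users>
<!--
<user username="old" password="old" roles="manager-gui"/>
-->
<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui,manager-script"/>
<user username="deploy" password="Xk7#pL2q!vR9wZ4m" roles="manager-script"/>
</tomcat-users>"""

if __name__ == "__main__":
    for name, finding in audit_tomcat_users(SAMPLE):
        print(name + ": " + finding)
```

To run it against a real installation, pass the contents of $CATALINA_HOME/conf/tomcat-users.xml to audit_tomcat_users().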

Note: it is possible to enhance our security still further by making certain files and directories read-only. This will not be covered in this post and care should be used when setting such permissions.

4. Adjust the start/stop service script we created above. In our new script, we need to su to the user tomcat:

Hi, I followed the tutorial and everything worked great, except the last part where we set up the iptables so tomcat can run on port 80 as a non-root user.

I added the 2 lines to the iptables but it doesn't seem to work. Also, when I try to restart, my website is getting a timeout both on port 80 as well as port 8080 (where it was working fine before adding the 2 iptables).

If anyone else is having this problem... Once you enter the new iptables rules, if you restart iptables without saving first, it gets reset to the original version. I was able to solve it by saving it first with the command:

Thanks for making it easy for all. It's working fine, but sometimes when I try to restart the service it doesn't start, but the second time it starts. Could I use this configuration in production, apart from the security issue? Because in my environment security is not a big deal; I have to care about performance.

Thanks for the post. Quick question: Would it be advisable to have a custom Tomcat installation in a production environment, as compared to the default system install via apt-get/yum? Your response will be appreciated. Thanks

Hi Nesar - Thanks. You should check your logs regarding the stop/start. AFA production, I sometimes use above. For small sites I sometimes run as root out of general laziness and not wanting to SU every five minutes. For others, I'll use SSL and lock everything down. How many security measures you put in place (or don't) depends on your needs. MuleSoft has a nice checklist here: http://www.mulesoft.com/tomcat-security

Hi Dayo - You are welcome. Every distro pulls down something different (some pull down nothing). I'm not familiar with all of them and I would recommend simply downloading and installing the latest tomcat and jdk to ensure you are getting the latest security and bug fixes.

If you have more than one IP address on the server and tomcat does not use the first one (a typical situation when a server runs many tomcats), the "-j REDIRECT" feature won't work, because it redirects traffic to the first IP address found on the interface. In this case you need something like this:

Mr. Devid, thank you very much for the great blog post providing the configuration part of the tomcat. I am really very thankful because due to your blog I could pass my technical interview based on tomcat. So once again thank you very much and god bless you for your glorious life.

Just wanted to say thank you for the comprehensive installation notes. It's hard to find something this detailed, and it allowed me to complete the tomcat installation and its service in a couple of hours. One note to add: I found the way to get the most current tomcat download link is to go directly to the apache tomcat website, http://tomcat.apache.org/download-70.cgi, then copy the link to use with wget.